OAuth 2.0 and OpenID Connect are two of the most widely used protocols to support secure and frictionless access delegation and single sign-on login solutions within web and mobile native applications.
Our focus:
- Design of innovative scenarios: government profile, issuing and presentation of credentials using a wallet application
- Assist mobile native application developers with the secure implementation of OAuth and OIDC solutions
- Security analysis and pentesting of OAuth and OIDC solutions
Related Tools
- Micro-Id-Gym [documentation, code]
- mIDAssistant [documentation, code]
Related Publications
-
Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise
Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments
In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023) (DOI, news) -
Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
In: 18th International Conference on Availability, Reliability and Security (ARES 2023) (DOI, news) -
Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
In: MDPI Journal of Applied Science (APPLSCI) (DOI, complementary material, news) -
Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news)
Awards: Best paper award -
Andrea Bisegna, Roberto Carbone, Silvio Ranise
Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2021) (DOI) -
Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
In: Journal of Information Security and Applications (JISA) (DOI, news) -
Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news) -
Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI, complementary material) -
Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, complementary material, news) -
Giada Sciarretta, Roberto Carbone, Silvio Ranise, Alessandro Armando
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86 (DOI) -
Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise
Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
In: 13th International Conference on Security and Cryptography (SECRYPT 2016) (DOI, news) -
Giada Sciarretta, Roberto Carbone, Silvio Ranise
A delegated authorization solution for smart-city mobile applications
In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) (DOI)
Related Theses
-
Amir Sharif (PhD Thesis, University of Genoa, 2021)
Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations (link)
Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta -
Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
A pentesting tool for OAuth and OIDC deployments
Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone -
Davide Piva (Bachelor's Thesis, University of Trento, 2019)
Assisting Developers in Securing OAuth 2.0 Deployment: Demystifying Threats and Protection Techniques for Bearer Credentials
Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta